Android Malware Family Downloads Paid Media and Apps

We spotted a family of Android malware that downloads apps and paid media files without users’ consent, leaving victims with unwanted charges. These are Trojanized versions of the legitimate weather forecast tool GoWeather and are detected by Trend Micro as ANDROIDOS_TROJMMARKETPLAY.

During our research, we acquired three samples of this malware family. One of the samples (detected as ANDROIDOS_TROJMMARKETPLAY.B) appeared to be a beta build compared to the other samples. We found a lot of test data and test code in it, some of which gave clues as to the possible perpetrator behind it.

Android Malware Leaves Victims with Unwanted Charges

Let’s now focus on the sample that we suspect to be a beta build. Once installed, ANDROIDOS_TROJMMARKETPLAY.B changes the access point name (APN) to CMWAP, which enables the device to log in automatically to the third-party app store M-Market. Users who log in for the first time are prompted with a charge pop-up window. The malware then closes this window and opens a page on M-Market to find and download paid apps or media. This routine leaves victims charged for apps and media that they did not intentionally download.

Typically, users should receive a verification SMS from M-Market and are required to reply with a verification code. In this instance, however, the malware intercepts and replies to the SMS itself so that victims won’t suspect anything. For the CAPTCHA image, the malware downloads the image and sends it to a remote server for decoding. The decode server’s domain name is in the configuration file yk-static.config. There are several other settings in the file, including a phone number used to send SMS messages; the domain name field stores the decode server’s domain.
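The routine described above needs a specific combination of manifest capabilities: a high-priority receiver for incoming SMS (to grab the verification code before the user sees it), permission to send SMS (to reply with it) and permission to rewrite APN settings (to switch to CMWAP). The following added example, which is not part of the original post or of any Trend Micro product, is a defender's static check that flags that combination in a decoded AndroidManifest.xml; the sample manifests, the package name and the priority threshold of 1000 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace prefix

# Real Android permission and action names; the combination below is the constructed rule set
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
SEND_SMS = "android.permission.SEND_SMS"
WRITE_APN = "android.permission.WRITE_APN_SETTINGS"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 1000  # threshold chosen for this example, not an Android constant


def sms_receiver_priority(root):
    """Highest android:priority declared by a receiver listening for SMS_RECEIVED, or None."""
    best = None
    for recv in root.iter("receiver"):
        for filt in recv.iter("intent-filter"):
            if any(a.get(A + "name") == SMS_RECEIVED for a in filt.iter("action")):
                prio = int(filt.get(A + "priority", "0"))
                best = prio if best is None else max(best, prio)
    return best


def analyse_manifest(xml_text):
    """Return the list of findings for a decoded AndroidManifest.xml (empty if nothing matches)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []
    prio = sms_receiver_priority(root)
    # An SMS receiver with an elevated priority gets the message before ordinary SMS apps
    if RECEIVE_SMS in perms and prio is not None and prio >= HIGH_PRIORITY:
        findings.append("high-priority SMS_RECEIVED receiver (priority %d)" % prio)
    # Receiving and sending SMS together allow an app to answer a verification code on its own
    if RECEIVE_SMS in perms and SEND_SMS in perms:
        findings.append("can both receive and send SMS")
    # Rewriting the APN is how the sample moves the device onto the CMWAP path
    if WRITE_APN in perms:
        findings.append("can rewrite APN settings")
    return findings


# Constructed sample manifests: one mirroring the described behaviour, one for a plain weather app
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <application><receiver android:name=".SmsReceiver"><intent-filter android:priority="2147483647">
    <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver></application>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application/></manifest>"""
```

Running `analyse_manifest` over a batch of decoded manifests (for example after apktool or aapt dumps them) gives a quick triage list; a weather app that trips all three rules deserves a closer look.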

We also observed notable changes in ANDROIDOS_TROJMMARKETPLAY.B. In comparison to another malware sample of the same family (detected as ANDROIDOS_TROJMMARKETPLAY.A), this beta build has a feature to update itself. Its method of intercepting and replying to verification SMS is also different: the .B variant uses a database, while the .A variant uses a file to store the verification code. Moreover, .A has code used to find paid media files.

Beta Build Android Malware Reveals Details of Cybercriminal

We concluded that ANDROIDOS_TROJMMARKETPLAY.B is a beta build because we found test code and some information about the malicious user behind this malware. There was even a private IP address in a URL, as well as test functions, one of which exercised the send-SMS feature. From this function, we found the following phone numbers:

{BLOCKED}32046

{BLOCKED}56246

{BLOCKED}30884

Since the malware was used for a test, these phone numbers must have been employed by the cybercriminal. We also found that these numbers pointed to Guangdong Guangzhou Province, China, but this was not enough proof that the perpetrators were based in the said location. Another interesting aspect we saw in the code was the word “yunkong”, which appeared many times and is probably the name of a particular individual/entity/organization behind this malware.

The number {BLOCKED}56246 is still being used by the cybercriminals to receive and initialize SMS. By monitoring these numbers, we can find more information about the perpetrator.

In the meantime, users are strongly advised to be cautious when downloading apps from third-party app stores, as this may lead to malware infection. Trend Micro protects Android mobile users from this threat via Trend Micro Mobile Security Personal Edition, which detects malware disguised as apps. To know more about how to protect your Android devices from being infected, you may refer to the following Digital Life e-guides: